Suspected Iranian cyberattack on key US infrastructure probed by security agency
According to the Cybersecurity & Infrastructure Security Agency (CISA), a US water treatment plant has been hacked by hackers.
The hackers breached the facility by exploiting the poor standard security measures of Unitronic Programmable Logic Controllers (PLCs).
CISA confirmed that the PLCs were the source of the breach, but the agency stated that the hackers did not compromise the water at the facility.
Vulnerabilities must be closed
The PLCs targeted by the hackers are typically responsible for the control and management of critical infrastructure, and can be used maliciously within a water supply to contaminate the water supply, disable the municipal water supply, or damage structures within the supply.
a similar attackattributed to Iranian hackers, took place targeting a water supply in Philadelphia, but CISA has not confirmed who was behind the latest attack.
In a rack from CISA on the attack, the agency reported: “Cyber threat actors are targeting PLCs associated with WWS facilities, including an identified Unitronics PLC, at a U.S. water supply.”
“In response, the affected municipality’s water board immediately took the system offline and switched to manual operation. There is no known risk to the municipality’s drinking water or water supply.”
CISA has also released guidance for organizations on how to keep Unitronic PLCs safe:
- Change Unitronics PLC default password: check that the default password “1111” is not in use.
- Require multi-factor authentication for all remote access to the OT network, including from the IT network and external networks.
- Disconnect the PLC from the open internet. If remote access is required, implement a firewall/VPN in front of the PLC to control network access to the remote PLC. A VPN or gateway device can enable multi-factor authentication for remote access even if the PLC does not support multi-factor authentication. Unitronics also has a secure long-distance mobile transportation device that is safe for their cloud services.
- Back up the logic and configurations on all Unitronics PLCs to enable quick recovery.
- Become familiar with the process for factory reset and deploying configurations to a device in the event you are affected by ransomware.
- If possible, use a TCP port other than the standard port TCP 20256. Cyber actors are actively targeting TCP 20256 after identifying it through network probing as a port associated with Unitronics PLC. Once identified, they use scripts specific to PCOM/TCP to query and validate the system, allowing further investigation and connection. If available, use PCOM/TCP filters to parse the packets.
- Update PLC/HMI to the latest version of Unitronics.